---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: '{{ ansible_operator_meta.name }}-web'
  namespace: '{{ ansible_operator_meta.namespace }}'
  labels:
    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
    {{ lookup("template", "../common/templates/labels/common.yaml.j2")  | indent(width=4) | trim }}
    {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=4) | trim }}
spec:
{% if web_replicas != '' and web_manage_replicas | bool %}
  replicas: {{ web_replicas }}
{% elif replicas != '' and web_manage_replicas | bool %}
  replicas: {{ replicas }}
{% endif %}
  selector:
    matchLabels:
      app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
      app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
      app.kubernetes.io/component: '{{ deployment_type }}'
  template:
    metadata:
      labels:
        app.kubernetes.io/name: '{{ ansible_operator_meta.name }}-web'
        {{ lookup("template", "../common/templates/labels/common.yaml.j2")  | indent(width=8) | trim }}
        {{ lookup("template", "../common/templates/labels/version.yaml.j2") | indent(width=8) | trim }}
      annotations:
        kubectl.kubernetes.io/default-container: '{{ ansible_operator_meta.name }}-web'
{% for template in [
    "configmaps/config.yaml",
    "secrets/app_credentials.yaml",
    "storage/persistent.yaml",
  ] %}
        checksum-{{ template | replace('/', '-') }}: "{{ lookup('template', template + '.j2') | sha1 }}"
{% endfor %}
{% if public_base_url is defined %}
        checksum-configmaps-redirect-page.configmap.html: "{{ lookup('template', 'configmaps/redirect-page.configmap.html.j2') | sha1 }}"
{% endif %}
{% for secret in [
    "bundle_cacert",
    "route_tls",
    "ldap_cacert",
    "secret_key",
    "receptor_ca",
    "receptor_work_signing",
  ] %}
        checksum-secret-{{ secret }}: "{{ lookup('ansible.builtin.vars', secret, default='')["resources"][0]["data"] | default('') | sha1 }}"
{% endfor %}
{% if web_annotations %}
        {{ web_annotations | indent(width=8) }}
{% elif annotations %}
        {{ annotations | indent(width=8) }}
{% endif %}
    spec:
{% if uwsgi_listen_queue_size is defined and uwsgi_listen_queue_size|int > 128 %}
      securityContext:
        sysctls:
        - name: net.core.somaxconn
          value: "{{ uwsgi_listen_queue_size }}"
{% endif %}
      serviceAccountName: '{{ ansible_operator_meta.name }}'
{% if image_pull_secret is defined %}
      imagePullSecrets:
        - name: {{ image_pull_secret }}
{% elif image_pull_secrets | length > 0 %}
      imagePullSecrets:
{% for secret in image_pull_secrets %}
        - name: {{ secret }}
{% endfor %}
{% endif %}
{% if host_aliases is defined and host_aliases | length > 0 %}
      hostAliases:
{% for item in host_aliases %}
      - ip: {{ item.ip }}
        hostnames:
{% for hostname in item.hostnames %}
        - {{ hostname }}
{% endfor %}
{% endfor %}
{% endif %}
{% if control_plane_priority_class is defined %}
      priorityClassName: '{{ control_plane_priority_class }}'
{% endif %}
      initContainers:
{% if bundle_ca_crt  %}
        - name: init-bundle-ca-trust
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /etc/pki/ca-trust/extracted/{java,pem,openssl,edk2}
              update-ca-trust extract
          volumeMounts:
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
            - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
              mountPath: /etc/pki/ca-trust/source/anchors/bundle-ca.crt
              subPath: bundle-ca.crt
              readOnly: true
{% endif %}
{% if init_container_extra_commands %}
        - name: init
          image: '{{ _init_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              {{ init_container_extra_commands | indent(width=14) }}
          volumeMounts:
{% if bundle_ca_crt  %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
{% if init_container_extra_volume_mounts -%}
            {{ init_container_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
{% endif %}
{% if projects_persistence|bool and is_k8s|bool %}
        - name: init-projects
          image: '{{ _init_projects_container_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          resources: {{ init_container_resource_requirements }}
          command:
            - /bin/sh
            - -c
            - |
              chmod 775 /var/lib/awx/projects
              chgrp 1000 /var/lib/awx/projects
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: "{{ ansible_operator_meta.name }}-projects"
              mountPath: "/var/lib/awx/projects"
{% endif %}
      containers:
        - image: '{{ _redis_image }}'
          imagePullPolicy: '{{ image_pull_policy }}'
          name: redis
{% if redis_capabilities is defined and redis_capabilities %}
          securityContext:
            capabilities:
              add: {{ redis_capabilities }}
{% endif %}
          args: ["redis-server", "/etc/redis.conf"]
          volumeMounts:
            - name: {{ ansible_operator_meta.name }}-redis-config
              mountPath: "/etc/redis.conf"
              subPath: redis.conf
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-redis-socket
              mountPath: "/var/run/redis"
            - name: "{{ ansible_operator_meta.name }}-redis-data"
              mountPath: "/data"
          resources: {{ redis_resource_requirements }}
        - image: '{{ _image }}'
          name: '{{ ansible_operator_meta.name }}-web'
          imagePullPolicy: '{{ image_pull_policy }}'
{% if web_command %}
          command: {{ web_command }}
{% endif %}
{% if web_args %}
          args: {{ web_args }}
{% endif %}
          ports:
            - containerPort: 8052
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
            - containerPort: 8053
{% endif %}
{% if web_liveness_period|int > 0 %}
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - |
                  (exit $(/usr/bin/supervisorctl -c /etc/supervisord_task.conf status | grep -vc RUNNING))
            initialDelaySeconds: {{ web_liveness_initial_delay }}
            periodSeconds: {{ web_liveness_period }}
            failureThreshold: {{ web_liveness_failure_threshold }}
            timeoutSeconds: {{ web_liveness_timeout }}
{% endif %}
{% if web_readiness_period|int > 0 %}
          readinessProbe:
            httpGet:
              path: /api/v2/ping/
              scheme: HTTP
              port: 8052
            initialDelaySeconds: {{ web_readiness_initial_delay }}
            periodSeconds: {{ web_readiness_period }}
            failureThreshold: {{ web_readiness_failure_threshold }}
            timeoutSeconds: {{ web_readiness_timeout }}
{% endif %}
          volumeMounts:
{% if public_base_url is defined %}
            - name: redirect-page
              mountPath: '/var/lib/awx/venv/awx/lib/python3.11/site-packages/awx/ui/build/index.html'
              subPath: redirect-page.html
{% endif %}
{% if bundle_ca_crt %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
            - name: {{ ansible_operator_meta.name }}-uwsgi-config
              mountPath: "/etc/tower/uwsgi.ini"
              subPath: uwsgi.conf
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/execution_environments.py"
              subPath: execution_environments.py
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/credentials.py"
              subPath: credentials.py
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/ldap.py"
              subPath: ldap.py
              readOnly: true
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
            - name: "{{ ansible_operator_meta.name }}-nginx-certs"
              mountPath: "/etc/nginx/pki"
              readOnly: true
{% endif %}
{% if ldap_cacert_ca_crt %}
            - name: "{{ ansible_operator_meta.name }}-ldap-cacert"
              mountPath: /etc/openldap/certs/ldap-ca.crt
              subPath: ldap-ca.crt
              readOnly: true
{% endif %}
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-settings
              mountPath: /etc/tower/settings.py
              subPath: settings.py
              readOnly: true
            {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2")  | indent(width=12) | trim }}
            - name: {{ ansible_operator_meta.name }}-nginx-conf
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-redis-socket
              mountPath: "/var/run/redis"
            - name: rsyslog-socket
              mountPath: "/var/run/awx-rsyslog"
{% if projects_persistence|bool %}
            - name: "{{ ansible_operator_meta.name }}-projects"
              mountPath: "/var/lib/awx/projects"
{% endif %}
            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
              mountPath: "/etc/receptor/tls/ca/mesh-CA.crt"
              subPath: "tls.crt"
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-receptor-ca"
              mountPath: "/etc/receptor/tls/ca/mesh-CA.key"
              subPath: "tls.key"
              readOnly: true
            - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
              mountPath: "/etc/receptor/work_public_key.pem"
              subPath: "work-public-key.pem"
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-web-log
              mountPath: /var/log/tower
{% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
{% endif %}
{% if web_extra_volume_mounts -%}
            {{ web_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
          env:
            - name: AWX_COMPONENT
              value: "web"
            - name: SUPERVISOR_CONFIG_PATH
              value: "/etc/supervisord_web.conf"
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: MY_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: UWSGI_MOUNT_PATH
              value: "{{ ingress_path }}"
{% if development_mode | bool %}
            - name: AWX_KUBE_DEVEL
              value: "1"
{% endif %}
{% if web_extra_env -%}
            {{ web_extra_env | indent(width=12, first=True) }}
{% endif %}
          resources: {{ web_resource_requirements }}
        - image: '{{ _image }}'
          name: '{{ ansible_operator_meta.name }}-rsyslog'
{% if rsyslog_command %}
          command: {{ rsyslog_command }}
{% endif %}
{% if rsyslog_args %}
          args: {{ rsyslog_args }}
{% endif %}
          imagePullPolicy: '{{ image_pull_policy }}'
          volumeMounts:
            - name: "{{ ansible_operator_meta.name }}-application-credentials"
              mountPath: "/etc/tower/conf.d/credentials.py"
              subPath: credentials.py
              readOnly: true
            - name: "{{ secret_key_secret_name }}"
              mountPath: /etc/tower/SECRET_KEY
              subPath: SECRET_KEY
              readOnly: true
            - name: {{ ansible_operator_meta.name }}-settings
              mountPath: "/etc/tower/settings.py"
              subPath: settings.py
              readOnly: true
            {{ lookup("template", "common/volume_mounts/extra_settings_files.yaml.j2")  | indent(width=12) | trim }}
            - name: {{ ansible_operator_meta.name }}-redis-socket
              mountPath: "/var/run/redis"
            - name: rsyslog-socket
              mountPath: "/var/run/awx-rsyslog"
{% if bundle_ca_crt  %}
            - name: "ca-trust-extracted"
              mountPath: "/etc/pki/ca-trust/extracted"
{% endif %}
{% if development_mode | bool %}
            - name: awx-devel
              mountPath: "/awx_devel"
{% endif %}
{% if rsyslog_extra_volume_mounts -%}
            {{ rsyslog_extra_volume_mounts | indent(width=12, first=True) }}
{% endif %}
          env:
            - name: SUPERVISOR_CONFIG_PATH
              value: "/etc/supervisord_rsyslog.conf"
{% if development_mode | bool %}
            - name: AWX_KUBE_DEVEL
              value: "1"
{% endif %}
{% if rsyslog_extra_env -%}
            {{ rsyslog_extra_env | indent(width=12, first=True) }}
{% endif %}
          resources: {{ rsyslog_resource_requirements }}
{% if web_node_selector %}
      nodeSelector:
        {{ web_node_selector | indent(width=8) }}
{% elif node_selector %}
      nodeSelector:
        {{ node_selector | indent(width=8) }}
{% endif %}
{% if web_topology_spread_constraints %}
      topologySpreadConstraints:
        {{ web_topology_spread_constraints | indent(width=8) }}
{% elif topology_spread_constraints %}
      topologySpreadConstraints:
        {{ topology_spread_constraints | indent(width=8) }}
{% endif %}
{% if web_tolerations %}
      tolerations:
        {{ web_tolerations| indent(width=8) }}
{% elif tolerations %}
      tolerations:
        {{ tolerations| indent(width=8) }}
{% endif %}
{% if web_affinity %}
      affinity:
        {{ web_affinity | to_nice_yaml | indent(width=8) }}
{% elif affinity %}
      affinity:
        {{ affinity | to_nice_yaml | indent(width=8) }}
{% endif %}
{% if security_context_settings|length %}
      securityContext:
        {{ security_context_settings | to_nice_yaml | indent(8) }}
{% endif %}
      volumes:
{% if public_base_url is defined %}
        - name: redirect-page
          configMap:
            name: '{{ ansible_operator_meta.name }}-redirect-page'
            items:
              - key: redirect-page.html
                path: redirect-page.html
{% endif %}
        - name: "{{ ansible_operator_meta.name }}-receptor-ca"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-receptor-ca"
        - name: "{{ ansible_operator_meta.name }}-receptor-work-signing"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-receptor-work-signing"
{% if bundle_ca_crt %}
        - name: "ca-trust-extracted"
          emptyDir: {}
        - name: "{{ ansible_operator_meta.name }}-bundle-cacert"
          secret:
            secretName: "{{ bundle_cacert_secret }}"
            items:
              - key: bundle-ca.crt
                path: 'bundle-ca.crt'
{% endif %}
{% if ingress_type | lower == 'route' and route_tls_termination_mechanism | lower == 'passthrough' %}
        - name: "{{ ansible_operator_meta.name }}-nginx-certs"
          secret:
            secretName: "{{ route_tls_secret }}"
            items:
              - key: tls.key
                path: 'web.key'
              - key: tls.crt
                path: 'web.crt'
{% endif %}
{% if ldap_cacert_ca_crt %}
        - name: "{{ ansible_operator_meta.name }}-ldap-cacert"
          secret:
            secretName: "{{ ldap_cacert_secret }}"
            items:
              - key: ldap-ca.crt
                path: 'ldap-ca.crt'
{% endif %}
        - name: "{{ ansible_operator_meta.name }}-application-credentials"
          secret:
            secretName: "{{ ansible_operator_meta.name }}-app-credentials"
            items:
              - key: credentials.py
                path: 'credentials.py'
              - key: ldap.py
                path: 'ldap.py'
              - key: execution_environments.py
                path: 'execution_environments.py'
        - name: "{{ secret_key_secret_name }}"
          secret:
            secretName: '{{ secret_key_secret_name }}'
            items:
              - key: secret_key
                path: SECRET_KEY
        - name: {{ ansible_operator_meta.name }}-settings
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: settings
                path: settings.py
        - name: {{ ansible_operator_meta.name }}-nginx-conf
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: nginx_conf
                path: nginx.conf
        - name: {{ ansible_operator_meta.name }}-redis-config
          configMap:
            name: {{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap
            items:
              - key: redis_conf
                path: redis.conf
        {{ lookup("template", "common/volumes/extra_settings_files.yaml.j2")  | indent(width=8) | trim }}
        - name: {{ ansible_operator_meta.name }}-uwsgi-config
          configMap:
            name: {{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap
            items:
              - key: uwsgi_conf
                path: uwsgi.conf
        - name: {{ ansible_operator_meta.name }}-redis-socket
          emptyDir: {}
        - name: {{ ansible_operator_meta.name }}-redis-data
          emptyDir: {}
        - name: rsyslog-socket
          emptyDir: {}
        - name: receptor-socket
          emptyDir: {}
        - name: {{ ansible_operator_meta.name }}-web-log
          emptyDir: {}
        - name: {{ ansible_operator_meta.name }}-receptor-config
          configMap:
            name: '{{ ansible_operator_meta.name }}-{{ deployment_type }}-configmap'
            items:
              - key: receptor_conf
                path: receptor.conf
{% if projects_persistence|bool %}
        - name: "{{ ansible_operator_meta.name }}-projects"
          persistentVolumeClaim:
{% if projects_existing_claim %}
            claimName: {{ projects_existing_claim }}
{% else %}
            claimName: '{{ ansible_operator_meta.name }}-projects-claim'
{% endif %}
{% endif %}
{% if development_mode | bool %}
        - name: awx-devel
          hostPath:
            path: /awx_devel
{% endif %}
{% if extra_volumes -%}
        {{ extra_volumes | indent(width=8, first=True) }}
{% endif %}
